Home / Blogs

More than 85% of Top 500 Most Highly-Trafficked Websites Vulnerable

Elisa Cooper

Over the last 5 years, hacktivists have continued the practice of redirecting well-known domain names to politically motivated websites utilizing tactics such as SQL injection attacks and social engineering schemes to gain access to domain management accounts — and that, in and of itself, is not surprising.

But what IS surprising is the fact that less than 15% of the 500 most highly trafficked domains in the world are utilizing Registry Locking. Granted, Registry Locking is only available across 356 of the top 500 most highly trafficked domains, as not all Registries offer this service.

Registry Locking provides an additional level of security which virtually renders domains impervious to hacktivists, disgruntled employees and erroneous updates. Registry Locked domains are only editable when a unique security protocol is completed between the Registry and the Registrar.

Back in 2010 when I first reviewed the security settings for the top 300 most highly trafficked domains, less than 10% had implemented Registry Locking. So by now, I would have expected that the percentage Registry Locked domains would have increased significantly, but alas it has not.

I am still uncertain as to why the owners of such highly trafficked domains have not taken advantage of this additional layer of security. And as I stated back in 2010, I cannot imagine that the additional fees associated with employing this level of service are the deterrent.

I can only assume that the relatively low adoption rates are attributed to the fact that Registry Locking is still not widely available, and that most domain name owners are unaware of the existence of this service.

By Elisa Cooper, Vice President of Marketing at Lecorpio

Related topics: Cybersecurity, Cybersquatting, Domain Names, Registry Services


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


Thanks for updating the survey of sites, George Kirikos  –  Sep 12, 2013 5:38 AM PDT

Thanks for updating the survey of sites, Elisa. Economics still apply, and a partial explanation would probably involve the costs involved. VeriSign hasn't openly published its fees for the registry lock for .com, but when ICANN approved the service they gave VeriSign unrestricted pricing for the service. Presumably VeriSign has chosen to price it too high, and thus fewer companies can afford it.

Another factor, as you suggest in the last sentence, might be that registrars don't promote it enough, and that's probably intertwined with costs mentioned above. Most registrars (including the "white-glove" ones like MarkMonitor) aren't posting public prices for it on their websites, and thus registrants aren't able to compare prices.

If it was priced on a cost-recovery basis, the costs should be minimal, i.e. on the order of $10 to $20 per "unlock" event (with no annual fees to place a domain name on registry lock or to maintain it in a locked state).

In a properly-designed system, the only time human-verification is really required (and thus when higher costs are faced) is when the registry lock is removed.** Adding it back can and should be totally automated. Removing the lock, and the "out-of-band" verification (by both registrars and the registry) that it requires, is what registrants are ultimately paying for.

**[To be accurate, there are different fine-grained states of the "lock", e.g. one can in theory prevent transfers, but allow nameserver changes, but in practical terms, I think most users would use the registry lock in an "all-or-nothing" manner, with the coarsest settings]

P.S. To show how low the costs George Kirikos  –  Sep 12, 2013 5:51 AM PDT

P.S. To show how low the costs could be, that $10 to $20 per "unlock" event (mentioned in my first comment above) should apply regardless of the number of domains involved in the event. In other words, the registrar (and registry) could unlock 1, 10, 50, 100, or 1000 or more domains all at once, in a bulk transaction (i.e. with a single out-of-band verification for the entire group of domains). That would lower the cost to end-users considerably, since the registrar could batch the requests if they aren't urgent. (Urgent requests could still be handled with a batch size of "1", with the registrant paying more than if it was in a group of say 50 others in a daily batch)

To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper


DNS Security

Sponsored by Afilias


Sponsored by Verisign
Afilias Mobile & Web Services

Mobile Internet

Sponsored by Afilias Mobile & Web Services

Promoted Posts

Now Is the Time for .eco

.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»

Industry Updates – Sponsored Posts

Radix Announces Global Web Design Contest, F3.space

Global Domain Name Registrations Reach 330.6 Million, 1.3 Million Growth in First Quarter of 2017

.TECH Gets Its Big Hollywood Break

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Why the Record Number of Reverse Domain Name Hijacking UDRP Filings in 2016?

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

UDRP: Better Late than Never - ICA Applauds WIPO for Removing Misguided 'Retroactive Bad Faith'

The Rise and Fall of the UDRP Theory of 'Retroactive Bad Faith'

.PRESS Supports Press Freedom Day for 3rd Consecutive Year

Leading Internet Associations Strengthen Cooperation

5 Afilias Top Level Domains Now Licensed for Sale in China

Radix Announces Largest New gTLD Sale with Casino.Online

2016 Year in Review: The Trending Keywords in .COM and .NET Domain Registrations

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

A Look at How the New .SPACE TLD Has Performed Over the Past 2 Years

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service